Security audit

Datacomply Shield

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent compliance-review blueprint, but it describes permanent storage of sensitive review activity and outputs without clear retention or deletion controls.

Review before installing or using with real legal, vendor, or personal-data documents. Ask the publisher to document what content is stored, which third-party services receive it, retention duration, deletion options, encryption, access controls, and whether uploads can be redacted or processed in a private deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill encourages users to upload potentially sensitive legal, contractual, and cross-border data processing documents for automated analysis, but it does not disclose how those files are handled, whether they are sent to external APIs, where they are stored, or what privacy risks are involved. In a compliance-focused product, this omission is especially risky because users may reasonably assume stronger privacy safeguards than are actually described.

Missing User Warnings

High
Confidence: 97%
Finding
The skill states that all user actions and analysis results are permanently stored, yet provides no warning, retention policy, or user controls. Because the uploaded materials are likely to contain confidential contracts, privacy policies, vendor agreements, and regulated personal data, indefinite retention materially increases breach exposure, insider misuse risk, and regulatory noncompliance.

Ssd 3

Medium
Confidence: 95%
Finding
Permanent storage of all user actions and analysis outputs creates a durable data exposure surface for sensitive natural-language content, including legal documents and extracted compliance findings. Even without an active exploit in the skill text, the design choice itself raises the likelihood and severity of future leakage through compromise, misconfiguration, overbroad internal access, or secondary use beyond user expectations.

VirusTotal

65/65 vendors flagged this skill as clean.
